NTP BUG 3383: Stack Buffer Overflow from Command Line (WINDOWS installer ONLY)

Last update: February 16, 2022 15:54 UTC (b0750def8)


Summary

Resolved: 4.2.8p10, 21 Mar 2017
References: Bug 3383, CVE-2017-6452
Affects: Windows installer ONLY: All versions of the ntp-4 Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. Resolved in 4.2.8p10.
CVSS2 Score: LOW 1.0, AV:L/AC:H/Au:S/C:N/I:N/A:P
CVSS3 Score: LOW 1.8, CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

Description

The Windows installer for NTP calls strcat() in the addSourceToRegistry() function, appending the string passed to it to a stack buffer without checking its length. That stack buffer is 70 bytes smaller than the buffer in the calling main() function. Combined with the Registry path that is copied into the buffer first, the appended string causes a stack buffer overflow and effectively overwrites the stack frame. The operating system limits the passed application path to 256 bytes, but this limit is not sufficient to ensure that the affected stack buffer is protected against overflowing.
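
The size mismatch described above and a length-checked way to build the key, as an added example that is not code from the NTP project or its installer. Assumptions: the caller's buffer size (256), the registry prefix (a constructed placeholder), the sample path, and the names build_source_key() and key_bytes_needed() are all hypothetical; only the 70-byte difference comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define CALLER_BUF 256                /* assumed size of the caller's path buffer */
#define KEY_BUF    (CALLER_BUF - 70)  /* callee buffer: 70 bytes smaller, per the advisory */
#define KEY_PREFIX "EXAMPLE\\Registry\\Prefix\\"  /* constructed placeholder, not the real key */

/* Unchecked pattern the advisory describes (kept as a comment only):
 *     char key[KEY_BUF];
 *     strcpy(key, KEY_PREFIX);
 *     strcat(key, app_path);     -- prefix + path can exceed KEY_BUF
 */

/* Bytes required for prefix + path + terminating NUL. */
size_t key_bytes_needed(const char *app_path)
{
    return strlen(KEY_PREFIX) + strlen(app_path) + 1;
}

/* Hardened form: write the key only if it fits. Returns 0 on success, -1 on reject. */
int build_source_key(char *out, size_t out_size, const char *app_path)
{
    int n;

    if (out == NULL || out_size == 0 || app_path == NULL)
        return -1;
    n = snprintf(out, out_size, "%s%s", KEY_PREFIX, app_path);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';            /* never leave a truncated key behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char key[KEY_BUF];
    char path[CALLER_BUF];

    /* Constructed input: the longest path the caller's buffer can hold. */
    memset(path, 'A', sizeof(path) - 1);
    path[sizeof(path) - 1] = '\0';

    printf("needed=%zu available=%zu\n", key_bytes_needed(path), sizeof(key));
    if (build_source_key(key, sizeof(key), path) != 0)
        puts("rejected: path does not fit the key buffer");
    if (build_source_key(key, sizeof(key), "C:\\ntp\\bin\\ntpd.exe") == 0)
        printf("ok: %s\n", key);
    return 0;
}
```

With these assumed sizes, a path that fits the caller's buffer can still need more bytes than the callee's buffer holds once the prefix is added, which is why the check belongs where the concatenation happens.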


Mitigation


Credit

This weakness was discovered by Cure53.


Timeline